Setting Up Log Service to Analyze Windows Event Logs

Solution Design and Implementation

Installing the Winlogbeat and Logtail Agent Locally on the AD Server

winlogbeat.event_logs:
  - name: Security
    ignore_older: 168h
output.elasticsearch:
  hosts: ["elasticsearch.elastic.local:9200"]
  template.name: "winlogbeat"
  template.path: "winlogbeat.template.json"
  template.overwrite: false

Configuring Logtail and Logstore

Log Analysis Cases by Using SQL Scripts

Logon Failure Statistics

* and event_id: 4625 and event_data.TargetDomainName: LOGSRCHDEMO

Logon Attempt against Disabled Account

* and event_id: 4625 and event_data.TargetDomainName: LOGSRCHDEMO and event_data.SubStatus: 0xc0000072

User Added to Admin Group

* and event_id: 4732 | select date_format(date_trunc('minute', __time__), '%m-%d %H:%i')  as time, count(1) as event_count group by time order by time limit 1000

Consecutive Logon Failures

(event_id: 4625 or event_id: 4624) |
select
  date_trunc('minute', __time__) as time,
  computer_name as to_system,
  "event_data.TargetUserName" as failed_user,
  count(*) as NoOfFailures
from (
  select
    __time__,
    computer_name,
    "event_data.TargetUserName",
    "event_data.TargetDomainName" as TargetDomainName_prev,
    event_id,
    lag(event_id, 1, '4624') over (partition by computer_name, "event_data.TargetUserName" order by __time__, record_number) as pre_event_id
  from log
  limit 10000
)
where event_id = '4625'
  and pre_event_id = '4625'
  and TargetDomainName_prev = 'LOGSRCHDEMO'
  and computer_name is not null
group by date_trunc('minute', __time__), computer_name, "event_data.TargetUserName"

Create Custom Tables and Use Custom OSS Backed Tables in Dashboards

* | create table spk_demo_assets ( computer_name varchar,severity varchar,  owner varchar) with ( bucket='spk-logsrchdemo',endpoint='oss-ap-southeast-2.aliyuncs.com',accessid='LTAIH005FxpyZpRg',accesskey ='XL6otNimuROIJKQvcrT5RgLjWDg33R',objects=ARRAY['high_value_assets_unix.csv'],type='oss')

Consecutive Logon Failure against High Value Assets

(event_id: 4625 or event_id: 4624) |
select
  date_format(date_trunc('minute', __time__), '%m-%d %H:%i') as time,
  computer_name,
  severity as AssetValue,
  user,
  count(1) as consecutive_failures
from (
  select
    l.__time__,
    l.computer_name,
    l."event_data.TargetUserName" as user,
    l.event_id,
    "event_data.TargetDomainName" as TargetDomainName,
    lag(l.event_id, 1, '4624') over (partition by l.computer_name, l."event_data.TargetUserName" order by l.__time__, l.record_number) as pre_event_id,
    r.severity
  from log l
  left join spk_demo_assets r on l.computer_name = r.computer_name
  limit 10000
)
where event_id = '4625'
  and pre_event_id = '4625'
  and severity = 'high'
  and TargetDomainName = 'LOGSRCHDEMO'
group by date_format(date_trunc('minute', __time__), '%m-%d %H:%i'), computer_name, severity, user
order by time desc
limit 100
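To check what the two consecutive-failure queries above actually flag before relying on them in a dashboard, here is an added plain-Python equivalent of their lag()-over-partition logic, run over constructed sample events and a constructed stand-in for the spk_demo_assets table. This is example code written for this page, not Log Service's own implementation; the event values, host names and asset severities are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (made up for this example):
# (time, record_number, computer_name, TargetUserName, TargetDomainName, event_id)
SAMPLE_EVENTS = [
    ("2023-05-01 10:00:05", 1, "DC01", "alice", "LOGSRCHDEMO", "4625"),
    ("2023-05-01 10:00:20", 2, "DC01", "alice", "LOGSRCHDEMO", "4625"),
    ("2023-05-01 10:00:41", 3, "DC01", "alice", "LOGSRCHDEMO", "4625"),
    ("2023-05-01 10:01:10", 4, "DC01", "alice", "LOGSRCHDEMO", "4624"),
    ("2023-05-01 10:01:30", 5, "FS02", "bob",   "LOGSRCHDEMO", "4625"),
    ("2023-05-01 10:01:45", 6, "FS02", "bob",   "LOGSRCHDEMO", "4625"),
    ("2023-05-01 10:02:00", 7, "WS07", "carol", "OTHERDOM",    "4625"),
    ("2023-05-01 10:02:10", 8, "WS07", "carol", "OTHERDOM",    "4625"),
]

# Constructed stand-in for the OSS-backed spk_demo_assets table (computer_name -> severity).
ASSETS = {"DC01": "high", "FS02": "medium"}

def consecutive_failures(events, domain="LOGSRCHDEMO", severity=None, assets=ASSETS):
    """Count 4625 events whose previous event for the same (computer, user),
    ordered by (__time__, record_number), was also 4625. This mirrors
    lag(event_id, 1, '4624') OVER (PARTITION BY computer_name, TargetUserName ...)
    plus the WHERE clause of the queries above. Returns {(minute, computer, user): count}.
    severity='high' reproduces the LEFT JOIN on the asset table: hosts missing from the
    table survive the join with severity NULL and are then dropped by the filter."""
    partitions = defaultdict(list)
    for ev in events:
        partitions[(ev[2], ev[3])].append(ev)
    counts = defaultdict(int)
    for (computer, user), evs in partitions.items():
        evs.sort(key=lambda e: (e[0], e[1]))
        prev = "4624"  # lag() default: the first event of a partition is never flagged
        for ts, _, _, _, dom, eid in evs:
            if eid == "4625" and prev == "4625" and dom == domain \
                    and (severity is None or assets.get(computer) == severity):
                # SQL '%m-%d %H:%i' is month-day hour:minute; Python spells minute as %M
                minute = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%m-%d %H:%M")
                counts[(minute, computer, user)] += 1
            prev = eid  # this event becomes pre_event_id for the next row in the partition
    return dict(counts)

if __name__ == "__main__":
    for key, n in sorted(consecutive_failures(SAMPLE_EVENTS, severity="high").items()):
        print(key, n)
```

Note that, exactly like the SQL, the first failure of a run is never counted: three failures in a row for alice on DC01 yield a count of 2, so a threshold of N in the dashboard corresponds to N+1 actual failed logons.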

Data Presentation on Dashboard
